Add sshd impossible travel (#825)

* Add sshd impossible travel * Fix test * Add mitre labels * change logint to auth
crowdsecurity · Dec 12, 2023 · b1844a1 · b1844a1
1 parent 3a2b87f
commit b1844a1
Show file tree

Hide file tree

Showing 20 changed files with 404 additions and 0 deletions.
diff --git a/.tests/sshd-impossible-travel-user/config.yaml b/.tests/sshd-impossible-travel-user/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/geoip-enrich
+- ./parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
+scenarios:
+- "./scenarios/crowdsecurity/impossible-travel-user.yaml"
+log_file: sshd-success-logs.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/sshd-impossible-travel-user/parser.assert b/.tests/sshd-impossible-travel-user/parser.assert
diff --git a/.tests/sshd-impossible-travel-user/scenario.assert b/.tests/sshd-impossible-travel-user/scenario.assert
@@ -0,0 +1,31 @@
+len(results) == 1
+"vagrant" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["vagrant"].IP == ""
+results[0].Overflow.Sources["vagrant"].Range == ""
+results[0].Overflow.Sources["vagrant"].GetScope() == "username"
+results[0].Overflow.Sources["vagrant"].GetValue() == "vagrant"
+results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "bullseye"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-06T09:57:21Z"
+results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "bullseye"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-06T09:57:24Z"
+results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel-user"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/sshd-impossible-travel-user/sshd-success-logs.log b/.tests/sshd-impossible-travel-user/sshd-success-logs.log
@@ -0,0 +1,2 @@
+Sep  6 09:57:21 bullseye sshd[581]: Accepted publickey for vagrant from 1.2.3.4 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA
+Sep  6 09:57:24 bullseye sshd[812]: Accepted publickey for vagrant from 9.8.8.8 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM
diff --git a/.tests/sshd-impossible-travel/config.yaml b/.tests/sshd-impossible-travel/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/geoip-enrich
+- ./parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
+scenarios:
+- "./scenarios/crowdsecurity/impossible-travel.yaml"
+log_file: sshd-success-logs.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/sshd-impossible-travel/parser.assert b/.tests/sshd-impossible-travel/parser.assert
diff --git a/.tests/sshd-impossible-travel/scenario.assert b/.tests/sshd-impossible-travel/scenario.assert
@@ -0,0 +1,36 @@
+len(results) == 1
+"1.2.3.4" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+"9.8.8.8" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8"
+results[0].Overflow.Sources["9.8.8.8"].Range == ""
+results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip"
+results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
+results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "bullseye"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-06T09:57:21Z"
+results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "sshd-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "bullseye"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-06T09:57:24Z"
+results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/sshd-impossible-travel/sshd-success-logs.log b/.tests/sshd-impossible-travel/sshd-success-logs.log
@@ -0,0 +1,2 @@
+Sep  6 09:57:21 bullseye sshd[581]: Accepted publickey for vagrant from 1.2.3.4 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA
+Sep  6 09:57:24 bullseye sshd[812]: Accepted publickey for vagrant from 9.8.8.8 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM
diff --git a/.tests/sshd-success-logs/config.yaml b/.tests/sshd-success-logs/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/crowdsecurity/sshd-success-logs.yaml
+scenarios:
+- ""
+log_file: sshd-success-logs.log
+log_type: syslog
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Sep 6 09:57:21 bullseye sshd[581]: Accepted publickey for vagrant from 1.2.3.4 port 56296 ssh2: RSA SHA256:1M4RzhMyWuFS/86uPY/ce2prh/dVTHW7iD2RhpquOZA
		Sep 6 09:57:24 bullseye sshd[812]: Accepted publickey for vagrant from 9.8.8.8 port 56302 ssh2: RSA SHA256:kzfjfps/WFgXAdNgzvHBLuI072Y+f+91rpinXJAAvkM